Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News: Fraudster Targets Cryptocurrency Wallets with a Variety of Info Stealers

Featured Deal: Get The Pay What You Want: AWS Cloud Development Bundle Deal

Using IE7 or Firefox, clicking on links redirects me to totally random sites

Started by curlymatt , Jun 20 2009 04:37 AM

This topic is locked

38 replies to this topic

#1 curlymatt

Members
21 posts
OFFLINE

Local time:01:19 PM

Posted 20 June 2009 - 04:37 AM

Hi,

I've recently discovered what I believe is a trojan horse, which is hijacking links, and taking me to different sites from the one that I requested. This does not happen every single time, but is obviously causing a lot of worry and stress about whether the sites I am looking at are the correct ones. If anyone could help, that would be very appreciated.

My DDS log:

DDS (Ver_09-05-14.01) - NTFSx86
Run by Matt Tremayne at 10:28:26.65 on 20/06/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.1023.371 [GMT 1:00]

AV: PC Tools AntiVirus 5.0.0.16 *On-access scanning enabled* (Updated) {832E7172-E406-4BB2-8B19-6D29F2C93A98}
AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Matt Tremayne\Desktop\Unused Desktop Shortcuts\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uWindow Title = Packard Bell
uSearch Bar = hxxp://format.packardbell.com/cgi-bin/redirect/?country=UK&range=AD&phase=6&key=SEARCH
mSearch Page =
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CNisExtBho Class: {9ecb9560-04f9-4bbc-943d-298ddf1699e1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: Norton Internet Security: {0b53eac3-8d69-4b9e-9b19-a37c9a5676a7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_10\bin\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Control Center] c:\program files\asus\wlan card utilities\Center.exe
mRun: [btbb_wcm_McciTrayApp] c:\program files\btbb_wcm\McciTrayApp.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
Trusted Zone: line6.net
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://forresterthecobblers.spaces.live.com//PhotoUpload/MsnPUpld.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/asquared.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\matttr~1\applic~1\mozilla\firefox\profiles\emredqvb.default\
FF - prefs.js: browser.search.selectedEngine - Google.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig?hl=en
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\google\google updater\2.4.1601.7122\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-16 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-6-18 130936]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-6-18 22024]
R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [2009-6-18 27656]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-6-17 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-6-17 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-6-17 185089]
R2 AVFilter;AVFilter;c:\windows\system32\drivers\AVFilter.sys [2009-6-18 21904]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-6-17 55640]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2004-8-27 198256]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\CCPROXY.EXE [2004-8-27 235120]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2004-8-27 181872]
R2 PCTAVSvc;PC Tools AntiVirus Engine;c:\program files\pc tools antivirus\PCTAVSvc.exe [2009-6-18 964496]
R2 SAVRTPEL;SAVRTPEL;c:\program files\norton internet security\norton antivirus\SAVRTPEL.SYS [2004-7-23 50312]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-6-18 348752]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-6-18 1095560]
R3 ASNDIS5;ASNDIS5 Protocol Driver;c:\windows\system32\ASNDIS5.sys [2007-9-7 16269]
R3 AVHook;AVHook;c:\windows\system32\drivers\AVHook.sys [2009-6-18 28568]
R3 L6TPortGX;Service - Line 6 TonePort GX;c:\windows\system32\drivers\L6TPortGX.sys [2008-4-15 609280]
S2 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2009-6-18 4368952]
S2 gupdate1c9f039e33305c6;Google Update Service (gupdate1c9f039e33305c6);c:\program files\google\update\GoogleUpdate.exe [2009-6-18 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2004-8-27 79472]
S3 k510bus;Sony Ericsson K510 Driver driver (WDM);c:\windows\system32\drivers\k510bus.sys [2007-6-19 58288]
S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;c:\windows\system32\drivers\k510mdfl.sys [2007-6-19 8336]
S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;c:\windows\system32\drivers\k510mdm.sys [2007-6-19 94064]
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\k510mgmt.sys [2007-6-19 85408]
S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;c:\windows\system32\drivers\k510obex.sys [2007-6-19 83344]
S3 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton internet security\norton antivirus\NAVAPSVC.EXE [2004-10-28 177264]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20051214.017\NAVENG.Sys [2005-12-15 77864]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20051214.017\NavEx15.Sys [2005-12-15 750952]
S3 PentaxUsb;PENTAX Optio 50L on USB;c:\windows\system32\drivers\CoachUsb.sys [2004-11-24 50976]
S3 PentaxVc;PENTAX Optio 50L Video Capture;c:\windows\system32\drivers\CoachVc.sys [2004-11-24 44256]
S3 SAVRT;SAVRT;c:\program files\norton internet security\norton antivirus\SAVRT.SYS [2004-7-23 338056]
S3 SAVScan;SAVScan;c:\program files\norton internet security\norton antivirus\SAVSCAN.EXE [2004-7-23 198368]

=============== Created Last 30 ================

2009-06-20 10:16 <DIR> --d----- c:\program files\Trend Micro
2009-06-18 18:33 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-06-18 18:33 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-06-18 18:33 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-06-18 18:33 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-06-18 18:33 <DIR> --d----- c:\program files\Spyware Doctor
2009-06-18 18:06 27,656 a------- c:\windows\system32\drivers\pxsec.sys
2009-06-18 18:06 22,024 a------- c:\windows\system32\drivers\pxscan.sys
2009-06-18 18:06 <DIR> --d----- c:\program files\Prevx
2009-06-18 18:06 67 a------- c:\windows\wininit.ini
2009-06-18 18:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PrevxCSI
2009-06-18 07:39 <DIR> --d----- c:\docume~1\matttr~1\applic~1\PC Tools
2009-06-18 07:39 28,568 a------- c:\windows\system32\drivers\AVHook.sys
2009-06-18 07:39 21,912 a------- c:\windows\system32\drivers\AVRec.sys
2009-06-18 07:39 21,904 a------- c:\windows\system32\drivers\AVFilter.sys
2009-06-18 07:39 <DIR> --d----- c:\program files\common files\PC Tools
2009-06-18 07:39 <DIR> --d----- c:\program files\PC Tools AntiVirus
2009-06-18 07:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-06-17 21:55 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-06-17 21:55 <DIR> --d----- c:\program files\Avira
2009-06-17 21:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-06-17 20:48 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 20:48 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-17 20:48 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-17 20:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-16 21:25 15,688 a------- c:\windows\system32\lsdelete.exe
2009-06-16 11:34 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-06-16 11:34 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}

==================== Find3M ====================

2009-05-07 16:44 344,064 a------- c:\windows\system32\localspl.dll
2009-05-07 16:44 344,064 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-29 05:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 05:56 827,392 a------- c:\windows\system32\dllcache\wininet.dll
2009-04-29 05:56 233,472 -------- c:\windows\system32\dllcache\webcheck.dll
2009-04-29 05:56 1,159,680 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-29 05:56 671,232 a------- c:\windows\system32\dllcache\mstime.dll
2009-04-29 05:56 44,544 a------- c:\windows\system32\dllcache\pngfilt.dll
2009-04-29 05:56 105,984 -------- c:\windows\system32\dllcache\url.dll
2009-04-29 05:56 102,912 -------- c:\windows\system32\dllcache\occache.dll
2009-04-29 05:56 3,596,288 a------- c:\windows\system32\dllcache\mshtml.dll
2009-04-29 05:56 477,696 a------- c:\windows\system32\dllcache\mshtmled.dll
2009-04-29 05:56 193,024 a------- c:\windows\system32\dllcache\msrating.dll
2009-04-28 10:05 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 10:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-25 06:27 636,088 -------- c:\windows\system32\dllcache\iexplore.exe
2009-04-25 06:26 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-04-17 10:58 1,846,656 a------- c:\windows\system32\win32k.sys
2009-04-17 10:58 1,846,656 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 16:26 583,168 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 16:26 583,168 -------- c:\windows\system32\dllcache\rpcrt4.dll
2007-06-26 15:37 51,346,390 a------- c:\documents and settings\matt tremayne\COMPLETE GUITAR PRO--SONGS...22000 FILES!! JUNE 2003.zip
2007-03-28 16:05 1,696,256 a------- c:\program files\TTDLOADW.OVL
2005-10-10 16:27 6,760,768 a------- c:\documents and settings\matt tremayne\Guitar Pro 4.1.0 + KeyGen.zip
2005-09-25 19:49 16,809,984 a------- c:\documents and settings\matt tremayne\GUITAR PRO 4.0.exe
2003-05-30 03:17 422 a------- c:\documents and settings\matt tremayne\layout.bin
2000-01-07 23:40 46,080 a------- c:\documents and settings\matt tremayne\setup.exe
1998-10-19 13:54 158,720 a------- c:\program files\CARMA2_HW.EXE

============= FINISH: 10:29:10.59 ===============

Thanks!

Attached Files

Attach.txt 18.55KB 12 downloads

BC AdBot (Login to Remove)

BleepingComputer.com
Register to remove ads

#2 thcbytes

Malware Response Team
14,790 posts
OFFLINE

Gender:Male
Local time:07:19 AM

Posted 25 June 2009 - 07:15 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
- DDS.scr
- DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explaination about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 curlymatt

Topic Starter

Members
21 posts
OFFLINE

Local time:01:19 PM

Posted 25 June 2009 - 10:55 AM

Hi,

The problem is still occurring, and is mainly occurring on google.
WHen I carry out a search on google, clicking on the returned links will take me to a totally random page, and also give popups with adverts on as well.

Here is my DDS log, as requested:

DDS (Ver_09-05-14.01) - NTFSx86
Run by Matt Tremayne at 16:50:34.93 on 25/06/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.1023.476 [GMT 1:00]

AV: PC Tools AntiVirus 5.0.0.16 *On-access scanning enabled* (Updated) {832E7172-E406-4BB2-8B19-6D29F2C93A98}
AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Matt Tremayne\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uWindow Title = Packard Bell
uSearch Bar = hxxp://format.packardbell.com/cgi-bin/redirect/?country=UK&range=AD&phase=6&key=SEARCH
mSearch Page =
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CNisExtBho Class: {9ecb9560-04f9-4bbc-943d-298ddf1699e1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: Norton Internet Security: {0b53eac3-8d69-4b9e-9b19-a37c9a5676a7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_10\bin\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Control Center] c:\program files\asus\wlan card utilities\Center.exe
mRun: [btbb_wcm_McciTrayApp] c:\program files\btbb_wcm\McciTrayApp.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
Trusted Zone: line6.net
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://forresterthecobblers.spaces.live.com//PhotoUpload/MsnPUpld.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/asquared.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\matttr~1\applic~1\mozilla\firefox\profiles\emredqvb.default\
FF - prefs.js: browser.search.selectedEngine - Google.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig?hl=en
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\google\google updater\2.4.1601.7122\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-16 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-6-18 130936]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-6-17 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-6-17 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-6-17 185089]
R2 AVFilter;AVFilter;c:\windows\system32\drivers\AVFilter.sys [2009-6-18 21904]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-6-17 55640]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2004-8-27 198256]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\CCPROXY.EXE [2004-8-27 235120]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2004-8-27 181872]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
R2 PCTAVSvc;PC Tools AntiVirus Engine;c:\program files\pc tools antivirus\PCTAVSvc.exe [2009-6-18 964496]
R2 SAVRTPEL;SAVRTPEL;c:\program files\norton internet security\norton antivirus\SAVRTPEL.SYS [2004-7-23 50312]
R3 ASNDIS5;ASNDIS5 Protocol Driver;c:\windows\system32\ASNDIS5.sys [2007-9-7 16269]
R3 AVHook;AVHook;c:\windows\system32\drivers\AVHook.sys [2009-6-18 28568]
R3 L6TPortGX;Service - Line 6 TonePort GX;c:\windows\system32\drivers\L6TPortGX.sys [2008-4-15 609280]
S2 gupdate1c9f039e33305c6;Google Update Service (gupdate1c9f039e33305c6);c:\program files\google\update\GoogleUpdate.exe [2009-6-18 133104]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2004-8-27 79472]
S3 k510bus;Sony Ericsson K510 Driver driver (WDM);c:\windows\system32\drivers\k510bus.sys [2007-6-19 58288]
S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;c:\windows\system32\drivers\k510mdfl.sys [2007-6-19 8336]
S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;c:\windows\system32\drivers\k510mdm.sys [2007-6-19 94064]
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\k510mgmt.sys [2007-6-19 85408]
S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;c:\windows\system32\drivers\k510obex.sys [2007-6-19 83344]
S3 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton internet security\norton antivirus\NAVAPSVC.EXE [2004-10-28 177264]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20051214.017\NAVENG.Sys [2005-12-15 77864]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20051214.017\NavEx15.Sys [2005-12-15 750952]
S3 PentaxUsb;PENTAX Optio 50L on USB;c:\windows\system32\drivers\CoachUsb.sys [2004-11-24 50976]
S3 PentaxVc;PENTAX Optio 50L Video Capture;c:\windows\system32\drivers\CoachVc.sys [2004-11-24 44256]
S3 SAVRT;SAVRT;c:\program files\norton internet security\norton antivirus\SAVRT.SYS [2004-7-23 338056]
S3 SAVScan;SAVScan;c:\program files\norton internet security\norton antivirus\SAVSCAN.EXE [2004-7-23 198368]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-6-18 348752]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-6-18 1095560]

=============== Created Last 30 ================

2009-06-22 17:20 <DIR> --d----- c:\docume~1\matttr~1\applic~1\Malwarebytes
2009-06-22 17:20 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-22 17:20 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-22 17:20 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-22 17:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-20 10:16 <DIR> --d----- c:\program files\Trend Micro
2009-06-18 18:33 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-06-18 18:33 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-06-18 18:33 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-06-18 18:33 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-06-18 18:33 <DIR> --d----- c:\program files\Spyware Doctor
2009-06-18 18:06 67 a------- c:\windows\wininit.ini
2009-06-18 07:39 <DIR> --d----- c:\docume~1\matttr~1\applic~1\PC Tools
2009-06-18 07:39 28,568 a------- c:\windows\system32\drivers\AVHook.sys
2009-06-18 07:39 21,912 a------- c:\windows\system32\drivers\AVRec.sys
2009-06-18 07:39 21,904 a------- c:\windows\system32\drivers\AVFilter.sys
2009-06-18 07:39 <DIR> --d----- c:\program files\common files\PC Tools
2009-06-18 07:39 <DIR> --d----- c:\program files\PC Tools AntiVirus
2009-06-18 07:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-06-17 21:55 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-06-17 21:55 <DIR> --d----- c:\program files\Avira
2009-06-17 21:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-06-16 21:25 15,688 a------- c:\windows\system32\lsdelete.exe
2009-06-16 11:34 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-06-16 11:34 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}

==================== Find3M ====================

2009-05-07 16:44 344,064 a------- c:\windows\system32\localspl.dll
2009-05-07 16:44 344,064 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-29 05:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 05:56 827,392 a------- c:\windows\system32\dllcache\wininet.dll
2009-04-29 05:56 233,472 -------- c:\windows\system32\dllcache\webcheck.dll
2009-04-29 05:56 1,159,680 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-29 05:56 671,232 a------- c:\windows\system32\dllcache\mstime.dll
2009-04-29 05:56 44,544 a------- c:\windows\system32\dllcache\pngfilt.dll
2009-04-29 05:56 105,984 -------- c:\windows\system32\dllcache\url.dll
2009-04-29 05:56 102,912 -------- c:\windows\system32\dllcache\occache.dll
2009-04-29 05:56 3,596,288 a------- c:\windows\system32\dllcache\mshtml.dll
2009-04-29 05:56 477,696 a------- c:\windows\system32\dllcache\mshtmled.dll
2009-04-29 05:56 193,024 a------- c:\windows\system32\dllcache\msrating.dll
2009-04-28 10:05 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 10:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-25 06:27 636,088 -------- c:\windows\system32\dllcache\iexplore.exe
2009-04-25 06:26 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-04-17 10:58 1,846,656 a------- c:\windows\system32\win32k.sys
2009-04-17 10:58 1,846,656 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 16:26 583,168 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 16:26 583,168 -------- c:\windows\system32\dllcache\rpcrt4.dll
2007-06-26 15:37 51,346,390 a------- c:\documents and settings\matt tremayne\COMPLETE GUITAR PRO--SONGS...22000 FILES!! JUNE 2003.zip
2007-03-28 16:05 1,696,256 a------- c:\program files\TTDLOADW.OVL
2005-10-10 16:27 6,760,768 a------- c:\documents and settings\matt tremayne\Guitar Pro 4.1.0 + KeyGen.zip
2005-09-25 19:49 16,809,984 a------- c:\documents and settings\matt tremayne\GUITAR PRO 4.0.exe
2003-05-30 03:17 422 a------- c:\documents and settings\matt tremayne\layout.bin
2000-01-07 23:40 46,080 a------- c:\documents and settings\matt tremayne\setup.exe
1998-10-19 13:54 158,720 a------- c:\program files\CARMA2_HW.EXE

============= FINISH: 16:51:29.29 ===============

I have also attached the new log file.

Thanks,

curlymatt

Attached Files

Attach.txt 16.97KB 7 downloads

#4 m0le

Can U Dig It?

Malware Response Team
34,527 posts
OFFLINE

Gender:Male
Location:London, UK
Local time:12:19 PM

Posted 25 June 2009 - 06:58 PM

Hi curlymatt,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please subscribe to this topic, if you haven't already.
Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day then I will close the topic.

Thanks :thumbup2:

m0le is a proud member of UNITE

#5 curlymatt

Topic Starter

Members
21 posts
OFFLINE

Local time:01:19 PM

Posted 26 June 2009 - 02:19 AM

Hi mOle, yes I'm definitely here!

Thanks in advance for the help :thumbup2:

Will try and provide whatever information you need.

Thanks,

curlymatt

#6 m0le

Can U Dig It?

Malware Response Team
34,527 posts
OFFLINE

Gender:Male
Location:London, UK
Local time:12:19 PM

Posted 26 June 2009 - 05:23 PM

Hi curlymatt,

I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove two of these three: Antivir, PCTools and Norton

Also

The log shows that you have been using so called peer-to-peer or file-sharing programmes (in your case Azureus). These programmes allow to share files between users as the name(s) suggest. In today's world the cyber crime has come a long way and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of their malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

Now let's see what's lurking...

We need to scan for Rootkits with GMER

Please download GMER from one of the following locations, and save it to your desktop, please rename it as gamer.exe.
- Main Mirror
  This version will download a randomly named file (Recommended)
- Zip Mirror
  This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
Close any and all open programs, as this process may crash your computer.
Double click or on your desktop.
Allow the gmer.sys driver to load if asked.
You may see this window. If you do, click No.
Click on and wait for the scan to finish.
If you see a rootkit warning window, click OK.
Push and save the logfile to your desktop.
Copy and Paste the contents of that file in your next post.

Then

We need to create an OTL Report

Please download OTL from the mirror:
[http://oldtimer.geekstogo.com/OTL.exe]This is THE Mirror[/url]
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Push the button.
Two reports will open, copy and paste them in a reply here:[list]
OTListIt.txt <-- Will be opened
Extra.txt <-- Will be minimized

Thanks

Edited by m0le, 26 June 2009 - 05:25 PM.

m0le is a proud member of UNITE

#7 m0le

Can U Dig It?

Malware Response Team
34,527 posts
OFFLINE

Gender:Male
Location:London, UK
Local time:12:19 PM

Posted 29 June 2009 - 05:01 AM

Hi curlymatt,

I have not had a reply from you for 4 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open.

If you like you can PM me.

Thanks,

m0le

m0le is a proud member of UNITE

#8 curlymatt

Topic Starter

Members
21 posts
OFFLINE

Local time:01:19 PM

Posted 29 June 2009 - 10:54 AM

Hi m0le,

I sent you a private message earlier.
Thanks for your help so far.

I have carried out the instructions, but my computer hasn't stored any information on the file that was saved for GMER!
I will try it again, and post you the information.
Also, how long does OTL generally take to run? As I ran that, but received an error message, but the software is still open, saying that it is 'Scanning HKEY_CURRENT_USER file associations keys...'

However, it isn't changing from this. There IS an OTL.txt file now on my desktop though. I can add that if that is useful?

I will rerun the GMER, and try and save the information when it completes.

Thanks,

curlymatt

#9 m0le

Can U Dig It?

Malware Response Team
34,527 posts
OFFLINE

Gender:Male
Location:London, UK
Local time:12:19 PM

Posted 29 June 2009 - 11:47 AM

OTL.txt and Gmer's log would be a great start, curlymatt. :thumbup2:

m0le is a proud member of UNITE

#10 curlymatt

Topic Starter

Members
21 posts
OFFLINE

Local time:01:19 PM

Posted 29 June 2009 - 03:45 PM

Hi m0le, it took a while, but managed to get them!!

Here is the GMER log:
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-29 21:29:35
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.15 ----

SSDT d347bus.sys (PnP BIOS Extension/ ) ZwClose [0xF73C2818]
SSDT 86B3AAC0 ZwConnectPort
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF72A5514]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreatePagingFile [0xF73B6A20]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF7294282]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF7294474]
SSDT F7C1788C ZwCreateThread
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF72A5D00]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF72A5FB8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateKey [0xF73B72A8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateValueKey [0xF73C2910]
SSDT F7C178AA ZwLoadKey
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF72A43FA]
SSDT F7C17878 ZwOpenProcess
SSDT F7C1787D ZwOpenThread
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryKey [0xF73B72C8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryValueKey [0xF73C2866]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF72A6422]
SSDT F7C178B4 ZwReplaceKey
SSDT F7C178AF ZwRestoreKey
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwSetSystemPowerState [0xF73C20B0]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF72A57D8]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF7293F32]

Code 86B83C38 ZwFlushInstructionCache
Code 86BA3B1E IofCallDriver
Code 86B4F50E IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EE00A 5 Bytes JMP 86BA3B23
.text ntkrnlpa.exe!IofCompleteRequest 804EE09A 5 Bytes JMP 86B4F513
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805AAC4A 5 Bytes JMP 86B83C3C
? C:\WINDOWS\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[208] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00770001
.text C:\WINDOWS\system32\svchost.exe[208] kernel32.dll!GetStartupInfoA 7C801EEE 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[208] kernel32.dll!CreateMutexA 7C80E94F 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[208] kernel32.dll!GetCommandLineA 7C812F2D 6 Bytes JMP 5F0D0F5A
.text c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe[460] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 01510001
.text c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe[460] kernel32.dll!GetStartupInfoA 7C801EEE 6 Bytes JMP 5F0A0F5A
.text c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe[460] kernel32.dll!CreateMutexA 7C80E94F 6 Bytes JMP 5F040F5A
.text c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe[460] kernel32.dll!GetCommandLineA 7C812F2D 6 Bytes JMP 5F0D0F5A
.text c:\APPS\Powercinema\Kernel\TV\CLSched.exe[556] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00FB0001
.text c:\APPS\Powercinema\Kernel\TV\CLSched.exe[556] kernel32.dll!GetStartupInfoA 7C801EEE 6 Bytes JMP 5F0A0F5A
.text c:\APPS\Powercinema\Kernel\TV\CLSched.exe[556] kernel32.dll!CreateMutexA 7C80E94F 6 Bytes JMP 5F040F5A
.text c:\APPS\Powercinema\Kernel\TV\CLSched.exe[556] kernel32.dll!GetCommandLineA 7C812F2D 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe[592] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00C90001
.text C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe[592] kernel32.dll!GetStartupInfoA 7C801EEE 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe[592] kernel32.dll!CreateMutexA 7C80E94F 6 Bytes JMP 5F040F5A
.text C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe[592] kernel32.dll!GetCommandLineA 7C812F2D 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe[624] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 01B00001
.text C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe[624] kernel32.dll!GetStartupInfoA 7C801EEE 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe[624] kernel32.dll!CreateMutexA 7C80E94F 6 Bytes JMP 5F040F5A
.text C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe[624] kernel32.dll!GetCommandLineA 7C812F2D 6 Bytes JMP 5F0D0F5A
.text c:\APPS\HIDSERVICE\HIDSERVICE.exe[636] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 003A0001
.text c:\APPS\HIDSERVICE\HIDSERVICE.exe[636] kernel32.dll!GetStartupInfoA 7C801EEE 6 Bytes JMP 5F0A0F5A
.text c:\APPS\HIDSERVICE\HIDSERVICE.exe[636] kernel32.dll!CreateMutexA 7C80E94F 6 Bytes JMP 5F040F5A
.text c:\APPS\HIDSERVICE\HIDSERVICE.exe[636] kernel32.dll!GetCommandLineA 7C812F2D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\csrss.exe[796] KERNEL32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 02DB0001
.text C:\WINDOWS\system32\csrss.exe[796] KERNEL32.dll!GetStartupInfoA 7C801EEE 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\csrss.exe[796] KERNEL32.dll!CreateMutexA 7C80E94F 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\csrss.exe[796] KERNEL32.dll!GetCommandLineA 7C812F2D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\winlogon.exe[820] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 013F0001
.text C:\WINDOWS\system32\winlogon.exe[820] kernel32.dll!GetStartupInfoA 7C801EEE 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\winlogon.exe[820] kernel32.dll!CreateMutexA 7C80E94F 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\winlogon.exe[820] kernel32.dll!GetCommandLineA 7C812F2D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\services.exe[872] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 01330001
.text C:\WINDOWS\system32\services.exe[872] kernel32.dll!GetStartupInfoA 7C801EEE 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\services.exe[872] kernel32.dll!CreateMutexA 7C80E94F 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\services.exe[872] kernel32.dll!GetCommandLineA 7C812F2D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\lsass.exe[884] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 01270001
.text C:\WINDOWS\system32\lsass.exe[884] kernel32.dll!GetStartupInfoA 7C801EEE 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\lsass.exe[884] kernel32.dll!CreateMutexA 7C80E94F 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\lsass.exe[884] kernel32.dll!GetCommandLineA 7C812F2D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00EE0001
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!GetStartupInfoA 7C801EEE 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!CreateMutexA 7C80E94F 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!GetCommandLineA 7C812F2D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\svchost.exe[1192] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00ED0001
.text C:\WINDOWS\system32\svchost.exe[1192] kernel32.dll!GetStartupInfoA 7C801EEE 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1192] kernel32.dll!CreateMutexA 7C80E94F 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1192] kernel32.dll!GetCommandLineA 7C812F2D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\Explorer.EXE[1300] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 01280001
.text C:\WINDOWS\Explorer.EXE[1300] kernel32.dll!GetStartupInfoA 7C801EEE 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\Explorer.EXE[1300] kernel32.dll!CreateMutexA 7C80E94F 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\Explorer.EXE[1300] kernel32.dll!GetCommandLineA 7C812F2D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\System32\svchost.exe[1336] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 023A0001
.text C:\WINDOWS\System32\svchost.exe[1336] kernel32.dll!GetStartupInfoA 7C801EEE 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\System32\svchost.exe[1336] kernel32.dll!CreateMutexA 7C80E94F 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\svchost.exe[1336] kernel32.dll!GetCommandLineA 7C812F2D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00770001
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!GetStartupInfoA 7C801EEE 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!CreateMutexA 7C80E94F 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!GetCommandLineA 7C812F2D 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1612] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 01B70001
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1612] kernel32.dll!GetStartupInfoA 7C801EEE 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1612] kernel32.dll!CreateMutexA 7C80E94F 6 Bytes JMP 5F040F5A
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1612] kernel32.dll!GetCommandLineA 7C812F2D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\svchost.exe[1620] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00B10001
.text C:\WINDOWS\system32\svchost.exe[1620] kernel32.dll!GetStartupInfoA 7C801EEE 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1620] kernel32.dll!CreateMutexA 7C80E94F 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1620] kernel32.dll!GetCommandLineA 7C812F2D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\spoolsv.exe[1732] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 01010001
.text C:\WINDOWS\system32\spoolsv.exe[1732] kernel32.dll!GetStartupInfoA 7C801EEE 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\spoolsv.exe[1732] kernel32.dll!CreateMutexA 7C80E94F 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\spoolsv.exe[1732] kernel32.dll!GetCommandLineA 7C812F2D 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Kontiki\KService.exe[1928] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 01210001
.text C:\Program Files\Kontiki\KService.exe[1928] kernel32.dll!GetStartupInfoA 7C801EEE 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Kontiki\KService.exe[1928] kernel32.dll!CreateMutexA 7C80E94F 6 Bytes JMP 5F040F5A
.text C:\Program Files\Kontiki\KService.exe[1928] kernel32.dll!GetCommandLineA 7C812F2D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\nvsvc32.exe[2304] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 008F0001
.text C:\WINDOWS\system32\nvsvc32.exe[2304] kernel32.dll!GetStartupInfoA 7C801EEE 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\nvsvc32.exe[2304] kernel32.dll!CreateMutexA 7C80E94F 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\nvsvc32.exe[2304] kernel32.dll!GetCommandLineA 7C812F2D 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[2924] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 003F0001
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[2924] kernel32.dll!GetStartupInfoA 7C801EEE 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[2924] kernel32.dll!CreateMutexA 7C80E94F 6 Bytes JMP 5F040F5A
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[2924] kernel32.dll!GetCommandLineA 7C812F2D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\slserv.exe[3024] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 003A0001
.text C:\WINDOWS\system32\slserv.exe[3024] kernel32.dll!GetStartupInfoA 7C801EEE 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\slserv.exe[3024] kernel32.dll!CreateMutexA 7C80E94F 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\slserv.exe[3024] kernel32.dll!GetCommandLineA 7C812F2D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\svchost.exe[3044] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 007D0001
.text C:\WINDOWS\system32\svchost.exe[3044] kernel32.dll!GetStartupInfoA 7C801EEE 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[3044] kernel32.dll!CreateMutexA 7C80E94F 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[3044] kernel32.dll!GetCommandLineA 7C812F2D 6 Bytes JMP 5F0D0F5A

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT cpqarray.sys[SCSIPORT.SYS!ScsiPortInitialize] 86F9EA48
IAT cpqarray.sys[SCSIPORT.SYS!ScsiPortNotification] 86F9EA58
IAT aha154x.sys[SCSIPORT.SYS!ScsiPortNotification] 86F9E690
IAT aha154x.sys[SCSIPORT.SYS!ScsiPortInitialize] 86F9E680
IAT aic78xx.sys[SCSIPORT.SYS!ScsiPortNotification] 86FD2908
IAT aic78xx.sys[SCSIPORT.SYS!ScsiPortInitialize] 86FD28F8
IAT dac960nt.sys[SCSIPORT.SYS!ScsiPortNotification] 86FD2540
IAT dac960nt.sys[SCSIPORT.SYS!ScsiPortInitialize] 86FD2530
IAT ql10wnt.sys[SCSIPORT.SYS!ScsiPortNotification] 86FD2178
IAT ql10wnt.sys[SCSIPORT.SYS!ScsiPortInitialize] 86FD2168
IAT amsint.sys[SCSIPORT.SYS!ScsiPortNotification] 86F9DD50
IAT amsint.sys[SCSIPORT.SYS!ScsiPortInitialize] 86F9DD40
IAT i2omp.sys[SCSIPORT.SYS!ScsiPortInitialize] 86FD1008
IAT i2omp.sys[SCSIPORT.SYS!ScsiPortNotification] 86FD1018
IAT ini910u.sys[SCSIPORT.SYS!ScsiPortNotification] 86FD1C50
IAT ini910u.sys[SCSIPORT.SYS!ScsiPortInitialize] 86FD1C40
IAT ql1240.sys[SCSIPORT.SYS!ScsiPortNotification] 86FD1888
IAT ql1240.sys[SCSIPORT.SYS!ScsiPortInitialize] 86FD1878
IAT aic78u2.sys[SCSIPORT.SYS!ScsiPortNotification] 86FD14C0
IAT aic78u2.sys[SCSIPORT.SYS!ScsiPortInitialize] 86FD14B0
IAT ABP480N5.SYS[SCSIPORT.SYS!ScsiPortNotification] 86F9C540
IAT ABP480N5.SYS[SCSIPORT.SYS!ScsiPortInitialize] 86F9C530
IAT asc3350p.sys[SCSIPORT.SYS!ScsiPortNotification] 86FD0018
IAT asc3350p.sys[SCSIPORT.SYS!ScsiPortInitialize] 86FD0008
IAT cd20xrnt.sys[SCSIPORT.SYS!ScsiPortNotification] 86FD0D50
IAT cd20xrnt.sys[SCSIPORT.SYS!ScsiPortInitialize] 86FD0D40
IAT adpu160m.sys[SCSIPORT.SYS!ScsiPortNotification] 86FD05C0
IAT adpu160m.sys[SCSIPORT.SYS!ScsiPortInitialize] 86FD05B0
IAT dpti2o.sys[SCSIPORT.SYS!ScsiPortNotification] 86F9B018
IAT dpti2o.sys[SCSIPORT.SYS!ScsiPortInitialize] 86F9B008
IAT perc2.sys[SCSIPORT.SYS!ScsiPortNotification] 86FCF018
IAT perc2.sys[SCSIPORT.SYS!ScsiPortInitialize] 86FCF008
IAT hpn.sys[SCSIPORT.SYS!ScsiPortNotification] 86FCFD50
IAT hpn.sys[SCSIPORT.SYS!ScsiPortInitialize] 86FCFD40
IAT cbidf2k.sys[SCSIPORT.SYS!ScsiPortNotification] 86FCFA88
IAT cbidf2k.sys[SCSIPORT.SYS!ScsiPortInitialize] 86FCFA78

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 86EA4B10

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \FileSystem\Ntfs \Ntfs AVRec.sys (PC Tools Recognizer Driver for Windows 2000/XP/PC Tools Research Pty Ltd )

Device \FileSystem\Fastfat \FatCdrom 86F41EB0

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

Device \FileSystem\Rdbss \Device\FsWrap 86F6D7C0
Device \Driver\Cdrom \Device\CdRom1 86D1D728
Device \Driver\atapi \Device\Ide\IdePort0 86D1F5A0
Device \Driver\atapi \Device\Ide\IdePort1 86D1F5A0
Device \Driver\atapi \Device\Ide\IdePort2 86D1F5A0
Device \Driver\atapi \Device\Ide\IdePort3 86D1F5A0
Device \Driver\atapi \Device\Ide\IdePort4 86D1F5A0
Device \Driver\atapi \Device\Ide\IdePort5 86D1F5A0
Device \Driver\atapi \Device\Ide\IdeDeviceP5T1L0-14 86D1F5A0
Device \Driver\atapi \Device\Ide\IdeDeviceP5T0L0-c 86D1F5A0
Device \Driver\atapi \Device\Ide\IdeDeviceP4T0L0-1f 86D1F5A0
Device \FileSystem\Srv \Device\LanmanServer 86224978

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 86F3EE38
Device \FileSystem\MRxSmb \Device\LanmanRedirector 86F3EE38
Device \FileSystem\Npfs \Device\NamedPipe 86F73EE0
Device \FileSystem\Msfs \Device\Mailslot 86F543E0
Device \Driver\d347prt \Device\Scsi\d347prt1Port6Path0Target0Lun0 86D31130
Device \Driver\d347prt \Device\Scsi\d347prt1 86D31130
Device \FileSystem\Fastfat \Fat 86F41EB0

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVHook.sys (PC Tools Filter Driver for Windows 2000/XP/PC Tools Research Pty Ltd.)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 86F4B490
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 86F4B490
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 86F4B490
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 86F4B490
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 86F4B490
Device \FileSystem\Cdfs \Cdfs 86F54488

---- Modules - GMER 1.0.15 ----

Module _________ F7327000-F733F000 (98304 bytes)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\MSIVXypudoewevhxbopmpbiqmltewjvultdwk.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1084] 0x10000000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\MSIVXyfvkkymeqhcfuxdafrxnsswespiqqoug.sys (*** hidden *** ) [SYSTEM] MSIVXserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@khjeh 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z0 0x88 0x2E 0x20 0x4F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41@khjeh 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXyfvkkymeqhcfuxdafrxnsswespiqqoug.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXyfvkkymeqhcfuxdafrxnsswespiqqoug.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXypudoewevhxbopmpbiqmltewjvultdwk.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXturcssvwppomgkrqhblqbwdlldbgublx.dll
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXyfvkkymeqhcfuxdafrxnsswespiqqoug.sys
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXyfvkkymeqhcfuxdafrxnsswespiqqoug.sys
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXypudoewevhxbopmpbiqmltewjvultdwk.dll
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXturcssvwppomgkrqhblqbwdlldbgublx.dll
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{18E278A0-F307-DE32-6819-9926C217BDF8}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{18E278A0-F307-DE32-6819-9926C217BDF8}@iaohmeonhojmbehffb 0x6B 0x61 0x68 0x66 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{18E278A0-F307-DE32-6819-9926C217BDF8}@haehcoegfcbbcdkc 0x6B 0x61 0x6B 0x66 ...

---- Files - GMER 1.0.15 ----

File C:\Avenger\MSIVXcount 4 bytes
File C:\WINDOWS\system32\drivers\MSIVXyfvkkymeqhcfuxdafrxnsswespiqqoug.sys 79872 bytes executable <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

I've attached the files for OTL and Extras, if thats a problem, I can paste them into another reply.
Hope this info helps!

Thanks,

curlymatt

Attached Files

OTL.Txt 118.26KB 3 downloads
Extras.Txt 41.86KB 2 downloads

#11 m0le

Can U Dig It?

Malware Response Team
34,527 posts
OFFLINE

Gender:Male
Location:London, UK
Local time:12:19 PM

Posted 29 June 2009 - 07:24 PM

Hi curlymatt,

Gmer's found the rootkit that's causing much of your problems.

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop but rename it Combo-Fix.exe

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
Double click on Combo-Fix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks :thumbup2:

m0le is a proud member of UNITE

#12 curlymatt

Topic Starter

Members
21 posts
OFFLINE

Local time:01:19 PM

Posted 30 June 2009 - 12:28 PM

Hi m0le,

I ran Combofix, I tried to disable my virus software, but it told me 2 were still running, but combofix then ran, and produced the log, which I've now attached to the thread.

Hope this helps!

Thanks,

curlymatt

Attached Files

ComboFix.txt 17.56KB 20 downloads

#13 m0le

Can U Dig It?

Malware Response Team
34,527 posts
OFFLINE

Gender:Male
Location:London, UK
Local time:12:19 PM

Posted 30 June 2009 - 05:46 PM

Hi curlymatt,

Combofix removed MSIVX.

Can you run the next two tools and we'll see where we are at.

Can you run MBAM, I can see that you have this already, on Full Scan

Then

Please go to Kaspersky website and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
- Spyware, Adware, Dialers, and other potentially dangerous programs
  Archives
  Mail databases
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.

Thanks curlymatt :thumbup2:

m0le is a proud member of UNITE

#14 curlymatt

Topic Starter

Members
21 posts
OFFLINE

Local time:01:19 PM

Posted 03 July 2009 - 02:10 AM

Hi m0le,

I've tried to run MBAM twice, and it has run each time for about 2 hours, and then crashed. :thumbup2:

Is it wortk going straight onto the Kaspersky Online scan first and posting those results?

Thanks,

curlymatt

#15 m0le

Can U Dig It?

Malware Response Team
34,527 posts
OFFLINE

Gender:Male
Location:London, UK
Local time:12:19 PM

Posted 03 July 2009 - 04:13 AM

Hi curlymatt,

Let's try and get MBAM to run.

MBAM is often stopped by malware. Please open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe extension to .bat, .com, .pif, or .scr

Then, whether it works or not, please run Kaspersky. :thumbup2:

m0le is a proud member of UNITE